https://bugzilla.suse.com/show_bug.cgi?id=1197083

Bug ID: 1197083
Summary: VUL-0: weechat: Possible man-in-the-middle attack in TLS connection to servers
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: mimi.vx@gmail.com
Reporter: gianluca.gabrielli@suse.com
QA Contact: qa-bugs@suse.de
CC: security-team@suse.de
Found By: ---
Blocker: ---

Description

After changing the options weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user, the TLS verification function is lost. Consequently, any connection to a server with TLS is made without verifying the certificate, which could lead to a man-in-the-middle attack.

Connection to IRC servers with TLS is affected, as well as any connection to a server made by a plugin or a script using the function hook_connect.

Mitigation

After changing options weechat.network.gnutls_ca_system or weechat.network.gnutls_ca_user, you must restart WeeChat.

References:
https://weechat.org/doc/security/WSA-2022-1/